Adaptive One-way Functions and Applications


Omkant Pandey (UCLA), Rafael Pass (Cornell University), and Vinod Vaikuntanathan (MIT)

Abstract. We introduce new and general complexity-theoretic hardness assumptions. These assumptions abstract out concrete properties of a random oracle and are significantly stronger than traditional cryptographic hardness assumptions; however, assuming their validity we can resolve a number of long-standing open problems in cryptography.

Keywords. Cryptographic Assumptions, Non-malleable Commitment, Non-malleable Zero-knowledge

1 Introduction

The state of the art in complexity theory forces cryptographers to base their schemes on unproven hardness assumptions. Such assumptions can be general (e.g., the existence of one-way functions) or specific (e.g., the hardness of RSA or of the discrete logarithm problem). Specific hardness assumptions are usually stronger than their general counterparts; however, as such assumptions consider primitives with more structure, they lend themselves to constructions of more efficient protocols, and sometimes even to constructions of objects that are not known to exist when this extra structure is absent. Indeed, in recent years, several new and more exotic specific hardness assumptions have been introduced (e.g., [12, 4, 11]), leading to, among other things, signature schemes with improved efficiency, but also the first provably secure construction of identity-based encryption.

In this paper, we introduce a new class of strong but general hardness assumptions, and show how these assumptions can be used to resolve certain long-standing open problems in cryptography. Our assumptions are all abstractions of concrete properties of a random oracle. As such, our results show that for the problems we consider, random oracles are not necessary; rather, provably secure constructions can be based on concrete hardness assumptions.

Supported by NSF CAREER Grant No. CCF , AFOSR Award No. FA , BSF Grant No . Supported in part by NSF Grant CNS .

1.1 Adaptive Hardness Assumptions

We consider adaptive strengthenings of standard general hardness assumptions, such as the existence of one-way functions and pseudorandom generators. More specifically, we introduce the notion of collections of adaptive 1-1 one-way functions and collections of adaptive pseudorandom generators.

Intuitively, a collection of adaptive 1-1 one-way functions is a family of 1-1 functions $\mathcal{F}_n = \{f_{tag} : \{0,1\}^n \to \{0,1\}^n\}$ such that for every $tag$, it is hard to invert $f_{tag}(r)$ for a random $r$, even for an adversary that is granted access to an inversion oracle for $f_{tag'}$ for every $tag' \neq tag$. In other words, the function $f_{tag}$ is one-way even with access to an oracle that inverts all the other functions in the family. A collection of adaptive pseudorandom generators is a family of functions $\mathcal{G}_n = \{G_{tag} : \{0,1\}^n \to \{0,1\}^m\}$ such that for every $tag$, $G_{tag}$ is pseudorandom even given access to an oracle that decides whether a given $y$ is in the range of $G_{tag'}$ for $tag' \neq tag$.

Both of the above assumptions are strong, but arguably not unrealistically strong. Indeed, both are satisfied by a (sufficiently) length-extending random oracle (footnote 4). As such, they provide concrete mathematical assumptions that can be used to instantiate random oracles in certain applications. We also present some concrete candidate instantiations of these assumptions. For adaptive 1-1 one-way functions, we provide constructions based on the adaptive security of factoring or of the discrete logarithm problem. For adaptive PRGs, we provide a candidate construction based on a generalization of the Advanced Encryption Standard (AES).

Related Assumptions in the Literature. Assumptions of a related flavor have appeared in a number of works. The class of "one-more" assumptions introduced by Bellare, Namprempre, Pointcheval and Semanko [4] is similar in flavor.
Informally, the setting of the one-more RSA-inversion problem is the following: the adversary is given values $z_1, z_2, \ldots, z_k \in \mathbb{Z}_N^*$ (for a composite $N = pq$, a product of two primes) and is given access to an oracle that computes RSA inverses. The adversary wins if the number of values of which it computes an RSA inverse exceeds the number of calls it makes to the oracle. They prove the security of Chaum's blind-signature scheme under this assumption. This flavor of assumption has been used in numerous subsequent works [5, 6]. Even more closely related, Prabhakaran and Sahai [31] consider an assumption of the form that there are collision-resistant hash functions that are secure even if the adversary has access to a collision sampler. In a related work, Malkin, Moriarty and Yakovenko [24] assume that the discrete logarithm problem in $\mathbb{Z}_p^*$ (where $p$ is a $k$-bit prime) is hard even for an adversary that has access to an oracle that computes discrete logarithms in $\mathbb{Z}_q^*$ for any $k$-bit prime $q \neq p$. Both of these works use the assumption to achieve secure computation in a relaxation of the universal composability framework. (In a sense, their work couples the relaxed security notion to the hardness assumption. In contrast, we use adaptive hardness assumptions to obtain protocols that satisfy the traditional notion of security.)

Footnote 4. Note that a random function over, say, $\{0,1\}^n \to \{0,1\}^{4n}$ is 1-1 except with exponentially small probability.

1.2 Our Results

Non-Interactive Concurrently Non-Malleable Commitment Schemes. Non-malleable commitment schemes were first defined and constructed in the seminal paper of Dolev, Dwork and Naor [17]. Informally, a commitment scheme is non-malleable if no adversary can, upon seeing a commitment to a value $v$, produce a commitment to a related value (say $v - 1$). Indeed, non-malleability is crucial to applications that rely on the independence of the committed values. A stronger notion called concurrent non-malleability requires that no adversary, after receiving commitments to $v_1, \ldots, v_m$, can produce commitments to related values $\tilde v_1, \ldots, \tilde v_m$; see [28, 23] for a formal definition. The first non-malleable commitment scheme of [17] was interactive, and required $O(\log n)$ rounds of interaction, where $n$ is a security parameter. Barak [1] and subsequently Pass and Rosen [29, 28] presented constant-round non-malleable commitment schemes; the protocols of [29, 28] are the most round-efficient (requiring 12 rounds) and the one of [28] is additionally concurrently non-malleable. We note that of the above commitment schemes, [17] is the only one with a black-box proof of security, whereas the schemes of [1, 29, 28] rely on the non-black-box proof technique introduced by Barak [1] (footnote 5).

Our first result is a construction of a non-interactive, concurrently non-malleable string commitment scheme from a family of adaptive one-way permutations; additionally, our construction only requires a black-box proof of security.

Theorem 1 (Informal). Assume the existence of collections of adaptive one-way permutations. Then, there exists a non-interactive concurrently non-malleable string commitment scheme with a black-box proof of security.

If we instead assume the existence of adaptive PRGs, we obtain a 2-round concurrently non-malleable commitment scheme with a black-box proof of security.

Theorem 2 (Informal). Assume the existence of collections of adaptive PRGs. Then, there exists a 2-round concurrently non-malleable string commitment scheme with a black-box proof of security.

Footnote 5. Subsequent to this work, Lin, Pass and Venkitasubramaniam [23] have presented constructions of concurrent non-malleable commitments with a black-box security proof, based only on one-way functions. Their construction, however, uses $O(n)$ communication rounds.

Round-Optimal Black-Box Non-Malleable Zero-Knowledge. Intuitively, a zero-knowledge proof is non-malleable if a man-in-the-middle adversary, receiving a proof of a statement $x$, will not be able to provide a proof of a statement $x' \neq x$ unless he could have done so without hearing the proof of $x$. Dolev, Dwork and Naor [17] defined non-malleable zero-knowledge (ZK) and presented an $O(\log n)$-round ZK proof system. Barak [1] and subsequently Pass and Rosen [29] presented constant-round non-malleable ZK argument systems. Again, the protocol of [17] is the only one with a black-box proof of security. We construct a 4-round non-malleable ZK argument system with a black-box proof of security (that is, a black-box simulator). Four rounds is known to be optimal for black-box ZK [20] (even if the protocol is not required to be non-malleable) and for non-malleable protocols (even if they are not required to be ZK) [22].

Theorem 3 (Informal). Assume the existence of collections of adaptive 1-1 one-way functions. Then, there exists a 4-round non-malleable zero-knowledge argument system with a black-box proof of security. Assume, instead, the existence of collections of adaptive one-way permutations. Then, there exists a 5-round non-malleable zero-knowledge argument system with a black-box proof of security.

It is interesting to note that the (seemingly) related notion of concurrent zero-knowledge cannot be achieved in $o(\log n)$ rounds with a black-box proof of security. Thus, our result shows that (under our new assumptions) the notions of non-malleability and concurrency in the context of ZK are quantitatively different.

Efficient Chosen-Ciphertext Secure Encryption. Chosen-ciphertext (CCA) security was introduced in the works of [26, 32] and has since been recognized as a sine qua non for secure encryption. Dolev, Dwork and Naor [17] gave the first construction of a CCA-secure encryption scheme based on general assumptions. Their construction, and the subsequent construction of Sahai [33], use the machinery of non-interactive zero-knowledge proofs, which renders them less efficient than one would like. In contrast, the constructions of Cramer and Shoup [15, 16] are efficient, but are based on specific number-theoretic assumptions. Bellare and Rogaway [7] proposed an encryption scheme that is CCA-secure in the random oracle model (see below for more details about the random oracle model). We show complexity-theoretic assumptions that are sufficient to replace the random oracle in this construction. We mention that, previously, Canetti [13] showed how to replace random oracles in a related construction to get a semantically secure encryption scheme, but without CCA security. In a more recent work, Boldyreva and Fischlin [10] also show how to obtain a weakened notion of non-malleability, but still without CCA security.

Interactive Arguments for which Parallel Repetition does not Reduce the Soundness Error. A basic question regarding interactive proofs is whether parallel repetition of such protocols reduces the soundness error. Bellare, Impagliazzo and Naor [3] show that there are interactive arguments (i.e., computationally sound proofs) in the Common Reference String (CRS) model for which parallel repetition does not reduce the soundness error. Their construction relies on non-malleable encryption, and makes use of the CRS to select the public key for this encryption scheme. If one instead relies on a non-interactive concurrently non-malleable commitment scheme in their construction, the CRS can be dispensed with altogether. Thus, by Theorem 1, assuming the existence of collections of adaptive 1-1 one-way functions, we show that there exists an interactive argument for which parallel repetition does not reduce the soundness error. We also mention that the same technique can be applied to the strengthened construction of [30].

Our Techniques. Our constructions are simple and efficient. In particular, for the case of non-malleable commitment schemes, we show that appropriate instantiations of the Blum-Micali [9] or Naor [25] commitment schemes are in fact non-malleable. The proofs for these schemes are also relatively straightforward and follow nicely from the adaptive property of the underlying primitives. Next, we show that by appropriately using our non-malleable commitment protocols in the Feige-Shamir [18] ZK argument for $\mathcal{NP}$, we can also get a round-optimal black-box non-malleable ZK argument for $\mathcal{NP}$. Although the construction here is straightforward, its proof of correctness is less so. In particular, to show that our protocol is non-malleable, we rely on techniques that are quite different from traditional proofs of non-malleability: the power of the adaptive oracle is used only inside hybrid experiments; the simulation, on the other hand, proceeds by traditional rewinding. Interestingly, to get a round-optimal solution, our proof inherently relies on the actual Feige-Shamir protocol and highlights some novel features of this protocol.

Interpreting Our Results. We offer two interpretations of our results.

The optimistic interpretation: Although our assumptions are strong, they nonetheless do not (a priori) seem infeasible. Thus, if we believe that, e.g., AES behaves as an adaptively secure PRG, we obtain efficient solutions to important open questions.

The conservative interpretation: As mentioned, our constructions are black-box; namely, both the construction of the cryptographic objects and the associated security proof use the underlying primitive (adaptive one-way permutations or adaptive PRGs) as a black box, and in particular do not refer to a specific implementation of these primitives. Thus, a conservative way to view our results is that to show even black-box lower bounds and impossibility results for non-interactive concurrent non-malleable commitments and non-malleable zero-knowledge proofs, one first needs to refute our assumptions. Analogously, breaking our CCA-secure encryption scheme, or proving a general parallel-repetition theorem for interactive arguments, first requires refuting our assumptions.

A cryptographer could choose to make mild assumptions such as $P \neq NP$, relatively mild ones such as the existence of one-way functions, secure encryption schemes or trapdoor permutations, or preposterous ones such as "this scheme is secure". Whereas preposterous assumptions clearly are undesirable, mild assumptions are, given the state of the art in complexity theory, too weak for cryptographic constructions of non-trivial tasks. Relatively mild assumptions, on the other hand, are sufficient for showing the feasibility of essentially all known cryptographic primitives. Yet, to obtain efficient constructions, such assumptions are, given the current state of the art, not sufficient. In fact, even when the feasibility of a cryptographic task can be based on a relatively mild assumption, it is a priori not clear that an efficient construction of the primitive is possible at all.

One approach to overcoming this gap is the random oracle paradigm, introduced in its current form by Bellare and Rogaway [7]: the proposed paradigm is to prove the security of a cryptographic scheme in the random-oracle model, where all parties have access to a truly random function, and next instantiate the random oracle with a concrete function with "appropriate" properties. Nevertheless, as pointed out in [14] (see also [21, 2]), there are (pathological) schemes that can be proven secure in the random oracle model but are rendered insecure when the random oracle is replaced by any concrete function (or family of functions). In this work we instead investigate a different avenue for overcoming this gap between theory and practice, by introducing strong, but general, hardness assumptions. When doing so, we of course need to make sure that our assumptions (although potentially "funky") are not preposterous.
One criterion in determining the acceptability of a cryptographic assumption $A$ is to consider (1) what the assumption is used for (for instance, to construct a primitive $P$, say) and (2) how much more complex the primitive $P$ is compared to $A$. For example, a construction of a pseudorandom generator assuming a one-way function is non-trivial, whereas the reverse direction is not nearly as interesting. Unfortunately, the notion of complexity of an assumption is hard to define. We here offer a simple interpretation: view complexity as succinctness. General assumptions are usually more succinct than specific ones; one-way functions are easier to define than, say, pseudorandom functions. Given this point of view, it seems that our assumptions are not significantly more complex than traditional hardness assumptions; yet they allow us to construct considerably more complex objects (e.g., non-malleable zero-knowledge proofs).

On Falsifiability/Refutability of Our Assumptions. Note that the notions of non-malleable commitment and non-malleable zero-knowledge are both defined using simulation-based definitions. As such, simply assuming that a scheme is, say, non-malleable zero-knowledge seems like a very strong assumption, which is hard to falsify (footnote 6); in fact, to falsify it one needs to show (using a mathematical proof) that no Turing machine is a good simulator. In contrast, to falsify our assumptions it is sufficient to exhibit an attacker (just as with the traditional cryptographic hardness assumptions). To make such qualitative differences more precise, Naor [27] introduced a framework for classifying assumptions based on how practically an assumption can be refuted. Non-malleability, a priori, seems impossible to falsify (as there is a priori no simple way of showing that no simulator exists). In contrast, traditional assumptions such as "factoring is hard" can be easily refuted, simply by publishing challenges that a falsifier is required to solve. Our assumptions cannot be as easily refuted, as even if a falsifier exhibits an attack against a candidate adaptive OWF, it is unclear how to check that this attack works. However, the same can be said of relatively mild (and commonly used) assumptions, such as "factoring is hard for subexponential time" (footnote 7).

Additionally, we would like to argue that our assumptions enjoy a similar win/win situation as traditional cryptographic hardness assumptions. The adaptive security of the factoring or discrete logarithm problems seems like a natural computational number-theoretic question. A refutation of our assumptions (and its implications for the factoring and discrete logarithm problems) would thus be interesting in its own right. Taken to its extreme, this approach suggests that we might even consider assumptions that most probably are false, such as, e.g., assuming that AES is an (adaptive one-way) permutation, as long as we believe that it might be hard to prove that the assumption is false.

Footnote 6. Recall that falsifiability is Popper's classical criterion for distinguishing scientific and pseudo-scientific statements.

2 New Assumptions and Definitions

The following sections introduce our definitions of adaptively secure objects (one-way functions, pseudorandom generators and commitment schemes) and posit candidate constructions for adaptively secure one-way functions and pseudorandom generators.
2.1 Adaptive One-Way Functions

In this paper, we define a family of adaptively secure injective one-way functions, where each function in the family is specified by an index $tag \in \{0,1\}^n$. The adaptive security requirement says the following: consider an adversary that picks an index $tag$ and is given $y = f_{tag}(x)$ for a random $x$ in the domain of $f_{tag}$, and the adversary is supposed to compute $x$. The adversary, in addition, has access to a "magic" oracle that on input $(tag', y')$ with $tag' \neq tag$ returns $f_{tag'}^{-1}(y')$. In other words, the magic oracle helps invert all functions $f_{tag'}$ different from the target function $f_{tag}$. The security requirement is that the adversary has at most a negligible chance of computing $x$, even with this added ability. Note that the magic oracle is just a fictitious entity, which possibly does not have an efficient implementation (as opposed to the decryption oracle in the definition of CCA security for encryption schemes, which can be implemented efficiently given the secret key). More formally:

Definition 1 (Family of Adaptive One-to-one One-way Functions). A family of injective one-way functions $\mathcal{F} = \{f_{tag} : D_{tag} \to \{0,1\}^*\}_{tag \in \{0,1\}^n}$ is called adaptively secure if:

(Easy to sample and compute.) There is an efficient randomized domain sampler $D$ which, on input $tag \in \{0,1\}^n$, outputs a random element of $D_{tag}$. There is a deterministic polynomial-time algorithm $M$ such that for all $tag \in \{0,1\}^n$ and all $x \in D_{tag}$, $M(tag, x) = f_{tag}(x)$.

(Adaptive one-wayness.) Let $O(tag, \cdot, \cdot)$ denote an oracle that, on input $tag'$ and $y$, outputs $f_{tag'}^{-1}(y)$ if $tag' \neq tag$, and $\bot$ otherwise. The family $\mathcal{F}$ is adaptively secure if, for any probabilistic polynomial-time adversary $A$, there exists a negligible function $\mu$ such that for all $n$ and all tags $tag \in \{0,1\}^n$,
$$\Pr[x \leftarrow D_{tag} : A^{O(tag,\cdot,\cdot)}(tag, f_{tag}(x)) = x] \le \mu(n),$$
where the probability is over the random choice of $x$ and the coin tosses of $A$.

A potentially incomparable assumption is that of an adaptively secure injective one-way function (as opposed to a family of functions); here the adversary gets access to an oracle that inverts the function on any $y'$ that is different from the challenge $y$ (which the adversary is supposed to invert). However, it is easy to see that an adaptively secure one-way function with subexponential security and a dense domain implies a family of adaptively secure one-way functions, as defined above. In fact, our construction of a family of adaptively secure one-way functions based on factoring goes through this construction.

Hardness Amplification. A strong adaptively secure one-way function is one where no adversary can invert the function with probability better than some negligible function in $n$ (even with access to the inversion oracle). A weak one, on the other hand, only requires that the adversary not be able to invert the function with probability better than $1 - 1/\mathrm{poly}(n)$ (even with access to the inversion oracle). We remark that we can construct a collection of strong adaptively secure one-way functions from a collection of weak adaptively secure one-way functions. The construction is the same as in Yao's hardness amplification lemma. We defer the details to the full version.

Footnote 7. Note that the assumption that factoring is hard for subexponential time can be falsified by publishing a very short challenge (of length $\mathrm{polylog}\, n$). However, in the same vein, our assumption can be falsified by considering challenges of length $\log n$; then it is easy to check whether someone can exhibit an efficient attack on the adaptive security of an assumed one-way function, since the inverting oracle can also be efficiently implemented.

Candidates. We now present candidates for adaptively secure one-way functions, based on assumptions related to discrete logarithms and factoring.
</gr_repl1ace>
<gr_replace lines="29-33" cat="clarify" orig="9 Factoring.">
Factoring. First, we show how to build an adaptively secure one-way function (not a family of functions) from the factoring assumption. Then, we show how to turn it into a family of functions, assuming in addition that factoring is subexponentially hard. The domain of the function $f$ is $\{(p, q) : p, q \in P_n,\ p < q\}$, where $P_n$ is the set of all $n$-bit primes. Given this notation, $f(p, q)$ is defined to be $pq$. Assuming that it is hard to factor a number $N$ that is a product of two primes, even with access to an oracle that factors all other products of two primes, this function is adaptively secure.

We now show how to turn this into a family of adaptively secure one-way functions. The index is simply an $n'$-bit string $i = (i_1, i_2)$, where $n = n'^{1/\epsilon}$, i.e. $n' = n^{\epsilon}$, for some constant $0 < \epsilon < 1$. The domain is the set of all strings $(j_1, j_2)$ such that $p = i_1 \circ j_1$ and $q = i_2 \circ j_2$ are both $n$-bit primes. The function then outputs $pq$. Since we reveal the first $n' = n^{\epsilon}$ bits of the factors of $N = pq$, we need to assume that factoring is subexponentially hard (even with access to an oracle that factors other products of two primes). The function is clearly injective, since the factorization of $N$ into two primes $p < q$ is unique. In the full version, we additionally provide candidates for adaptive one-way functions based on the RSA and Rabin functions.

Discrete Logarithms. The family of adaptive OWFs $\mathcal{F}_{DL}$ is defined as follows. The domain of the function $f_i$ is the set of tuples $(p, g, x)$ such that $p$ is a $2n$-bit prime whose first $n$ bits equal the index $i$, $g$ is a generator of $\mathbb{Z}_p^*$, and $x$ is a $(2n-1)$-bit number. The domain is easy to sample: the sampler picks a long enough random string $r$ and a $(2n-1)$-bit number $x$. The function $f_i$ uses $r$ to sample a $2n$-bit prime $p$ whose first $n$ bits equal $i$ (this can be done by repeated sampling, and runs in polynomial time assuming a uniformity conjecture on the density of primes in large intervals) and a generator $g$ of $\mathbb{Z}_p^*$. The output of the function on input $(p, g, x)$ is $(p, g, g^x \bmod p)$. $f_i$ is injective since the output determines $p$ and $g$; given $p$ and $g$, $g^x \bmod p$ then determines $x$ uniquely, since $x < 2^{2n-1}$ and $p$, being a $2n$-bit prime, is larger than $2^{2n-1}$.

We also mention that the adaptive security of this family can be based on the subexponential adaptive security of the one-way function (as opposed to family) obtained by simply sampling random $p, g, x$ (or even a random safe prime $p$) and outputting $(p, g, g^x)$. (In the full version of the paper, we additionally show how to obtain our results under a different variant of polynomial-time adaptive hardness of the above one-way function; roughly speaking, the variant we require there is that the adversary gets access to an oracle that inverts the function on any input length.)

2.2 Adaptive Pseudorandom Generators

A family of adaptively secure pseudorandom generators $\mathcal{G} = \{G_{tag}\}_{tag \in \{0,1\}^*}$ is defined in a similar way to an adaptive one-way function. We require that the output of the generator $G_{tag}$, on a random input $x$ and an adversarially chosen $tag$, be indistinguishable from uniform, even for an adversary that can query a magic oracle with a value $(tag', y)$ (where $tag' \neq tag$) and get back 0 or 1 depending on whether $y$ is in the range of $G_{tag'}$ or not.

Definition 2 (Adaptive PRG). A family of functions $\mathcal{G} = \{G_{tag} : \{0,1\}^n \to \{0,1\}^{s(n)}\}_{tag \in \{0,1\}^n}$ is an adaptively secure pseudorandom generator (PRG) if $|G_{tag}(x)| = s(|x|)$ for some function $s$ such that $s(n) > n$ for all $n$ and:

(Efficient computability.) There is a deterministic polynomial-time algorithm $M_G$ such that $M_G(x, tag) = G_{tag}(x)$.

(Adaptive pseudorandomness.) Let $O(tag, \cdot, \cdot)$ denote an oracle that, on input $(tag', y)$ with $tag' \neq tag$, outputs 1 if $y$ is in the range of $G_{tag'}$ and 0 otherwise (and outputs $\bot$ if $tag' = tag$). The PRG $\mathcal{G}$ is adaptively secure if, for any probabilistic polynomial-time adversary $A$, there exists a negligible function $\mu$ such that for all $n$ and all tags $tag \in \{0,1\}^n$,
$$\Big|\Pr[y \leftarrow G_{tag}(U_n) : A^{O(tag,\cdot,\cdot)}(y) = 1] - \Pr[y \leftarrow U_m : A^{O(tag,\cdot,\cdot)}(y) = 1]\Big| \le \mu(n),$$
where $m = s(n)$ and the probability is over the random choice of $y$ and the coin tosses of $A$.

Candidates. For the case of adaptive PRGs, we provide a candidate construction based on the Advanced Encryption Standard (AES). AES is a permutation on 128 bits; that is, for a 128-bit seed $s$, $AES_s$ is a permutation on $\{0,1\}^{128}$. However, due to the algebraic nature of the construction of AES, it can easily be generalized to longer input lengths. Let $AES_n$ denote this generalized version of AES on $n$-bit inputs. Our candidate adaptive pseudorandom generator $AESG_{tag}$ is simply
$$AESG_{tag}(s) = AES_s(tag \circ 0) \circ AES_s(tag \circ 1).$$

2.3 Adaptively Secure Commitment Schemes

In this subsection, we define adaptively secure commitment schemes. Let $\{Com_{tag} = \langle S_{tag}, R_{tag} \rangle\}_{tag \in \{0,1\}^*}$ denote a family of commitment protocols, indexed by a string $tag$. We require that the commitment scheme be secure even against an adversary that can query a magic oracle on the transcript of a commitment interaction and get back the message that was committed to in the transcript. More precisely, the adversary picks an index $tag$ and two equal-length strings $x_0$ and $x_1$ and gets a value $y_b = Com_{tag}(x_b; r)$, where $b$ is a random bit and $r$ is random. The adversary can, in addition, query the magic oracle on $(y', tag')$ where $tag' \neq tag$ and get back some $x'$ such that $y' = Com_{tag'}(x'; r')$ for some $r'$ (if $y'$ is a legal commitment), and $\bot$ otherwise (footnote 8). The security requirement is that the adversary cannot distinguish whether $y_b$ was a commitment to $x_0$ or to $x_1$, even with this extra power.

Footnote 8. In case the transcript corresponds to the commitment of multiple messages, the oracle returns a canonical one of them. In fact, one of our commitment schemes is perfectly binding and thus does not encounter this problem.

9 Factoring. First, we show how to build an adaptively secure one-way function (not a family of functions) from the factoring assumption. Then, we show how to turn it into a family of functions, assuming, in addition, that factoring is subexponentially-hard. The domain of the function f is {(p, q) p, q P n, p < q}, where P n is the set of all n-bit primes. Given this notation, f(p, q) is defined to be pq. Assuming that it is hard to factor a number N that is a product of primes, even with access to an oracle that factors all other products of two primes, this function is adaptively secure. We now show how to turn this into a family of adaptively secure one-way functions. The index is simply an n = n 1/ɛ -bit string (for some ɛ > 0) i = (i 1, i 2 ). The domain is the set of all strings (j 1, j 2 ) such that p = i 1 j 1 and q = i 2 j 2 are both n-bit primes. The function then outputs pq. Since we reveal the first n = n 1/ɛ bits of the factors of N = pq, we need to assume that factoring is subexponentially hard (even with access to an oracle that factors other products of two primes). The function is clearly injective since factoring forms an injective function. In the full version, we additionally provide candidates for adaptive oneway functions based on the RSA and Rabin functions. Discrete Logarithms. The family of adaptive OWFs F DL is defined as follows: The domain of the function is a tuple (p, g, x) such that p is a 2n-bit prime p whose first n bits equal the index i, g is a generator for Z p and x is a 2n 1- bit number. The domain is easy to sample the sampler picks a long-enough random string r and a 2n 1-bit number x. The function f i uses r to sample a 2n-bit prime p whose first n bits equal i (this can be done by repeated sampling, and runs in polynomial time assuming a uniformness conjecture on the density of primes in large intervals) and a generator g Z p. The output of the function on input (p, g, x) is (p, g, g x mod p). 
f i is injective since the output determines p and g; given p and g, g x mod p next determines x uniquely since x < 2 2n 1 and p, being a 2n-bit prime, is larger than 2 2n 1. We also mention that the adaptive security of this family can be based on the subexponential adaptive security of the one-way function (as opposed to family) obtained by simply sampling random p, g, x (or even random p being a safe prime) and outputting p, g, g x. (In the full version of the paper, we additionally show how to obtain our results under a different variant of polynomial-time adaptive hardness of the above one-way function; roughly speaking, the variant we require here is that the adversary gets access to an oracle that inverts the function on any input length.) 2.2 Adaptive Pseudorandom Generator A family of adaptively secure pseudorandom generators G = {G tag } tag {0,1} is defined in a similar way to an adaptive one-way function. We require that the output of the generator G, on a random input x and an adversarially chosen tag be indistinguishable from uniform, even for an adversary that can query a magic

10 oracle with a value (tag, y) (where tag tag) and get back 0 or 1 depending on whether y is in the range of G tag or not. Definition 2 (Adaptive PRG). A family of functions G = {G tag : {0, 1} n {0, 1} s(n) } tag {0,1} n is an adaptively secure pseudorandom generator (PRG) if G tag (x) = s( x ) for some function s such that s(n) n for all n and, (efficient computability.) There is a deterministic polynomial-time algorithm M G such that M G (x, tag) = G tag (x). (Adaptive Pseudorandomness.) Let O(tag,, ) denote an oracle that, on input (tag, y) such that tag tag, tag = tag, outputs 1 if y is in the range of G tag and 0 otherwise. The PRG G is adaptively secure if, for any probabilistic polynomial-time adversary A, there exists a negligible function µ such that for all n and for all tags tag {0, 1} n, Pr[y G tag (U n ) : A O(tag,, ) (y) = 1] Pr[y U m : A O(tag,, ) (y) = 1] µ(n) where the probability is over the random choice of y and the coin-tosses of A. Candidates For the case of adaptive PRGs, we provide a candidate construction based on the advanced encryption standard (AES). AES is a permutation on 128 bits; that is, for a 128-bit seed s, AES s is a permutation defined on {0, 1} 128. However, due to the algebraic nature of the construction of AES, it can easily be generalized to longer input length. Let AES n denote this generalized version of AES to n-bit inputs. Our candidate adaptive pseudorandom generator AESG tag is simply AESG tag (s) = AES s (tag 0) AES s (tag 1). 2.3 Adaptively Secure Commitment Schemes In this subsection, we define adaptively secure commitment schemes. Let {Com tag = S tag, R tag } tag {0,1} denote a family of commitment protocols, indexed by a string tag. We require that the commitment scheme be secure, even against an adversary that can query a magic oracle on the transcript of a commitment interaction and get back a message that was committed to in the transcript. 
More precisely, the adversary picks an index tag and two equal-length strings x 0 and x 1 and gets a value y b = Com tag (x b ; r), where b is a random bit and r is random. The adversary can, in addition, query a magic oracle on (y, tag ) where tag tag and get back the some x such that y Com tag (x ; r ) (if y is a legal commitment) and otherwise. 8 The security requirement is that the adversary cannot distinguish whether y b was a commitment to x 0 or x 1, even with this extra power. 8 In case the transcript corresponds to the commitment of multiple messages, the oracle returns a canonical one of them. In fact, one of our commitment schemes is perfectly binding and thus, does not encounter this problem.
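The magic-oracle experiments of Definitions 1 and 2 and of the commitment definition above all have the same shape: the adversary names a tag, is challenged under that tag, and gets an inverter for every other tag. The Python block below is an added example, not code from the paper; it plays Definition 1's game with the discrete-logarithm family $\mathcal{F}_{DL}$ of Section 2.1 at toy parameters ($n = 6$, so $p$ is a 12-bit prime whose top 6 bits are the index). The oracle is realised by exhaustive search, which is exactly the inefficient, fictitious entity the text describes, and it answers $\bot$ (here `None`) on the adversary's own tag. The two adversaries, the seeds and every function name are constructions of this example.

```python
import random

def is_prime(m: int) -> bool:
    """Trial division; adequate for the toy 2n-bit primes used here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True

def prime_factors(m: int) -> list:
    """Distinct prime factors of m, needed to test whether g generates Z_p^*."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    return out + ([m] if m > 1 else [])

def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def sample_domain(i: int, n: int, rng: random.Random):
    """Domain sampler for f_i: a 2n-bit prime p whose top n bits are i, a generator g, a (2n-1)-bit x."""
    assert i.bit_length() == n, "index i must be an n-bit string with leading 1 so that p has 2n bits"
    p = (i << n) | rng.getrandbits(n)
    while not is_prime(p):                       # repeated sampling of the low n bits
        p = (i << n) | rng.getrandbits(n)
    g = rng.randrange(2, p)
    while not is_generator(g, p):
        g = rng.randrange(2, p)
    x = rng.getrandbits(2 * n - 1)               # x < 2^(2n-1) < p, so g^x mod p determines x
    return p, g, x

def f_dl(i: int, n: int, p: int, g: int, x: int):
    """f_i(p, g, x) = (p, g, g^x mod p); rejects inputs outside D_i."""
    assert p.bit_length() == 2 * n and p >> n == i and is_prime(p) and is_generator(g, p)
    assert 0 <= x < 2 ** (2 * n - 1)
    return p, g, pow(g, x, p)

def magic_invert(n: int, y):
    """The fictitious inversion oracle: exhaustive discrete log, exponential in n.
    It exists only inside the definition; nothing here claims it is efficient."""
    p, g, h = y
    for x in range(2 ** (2 * n - 1)):
        if pow(g, x, p) == h:
            return p, g, x
    return None

def adaptive_owf_experiment(n: int, target: int, adversary, seed: int = 0):
    """Definition 1's game for the DL family: A names its tag, receives y = f_target(x) for a random
    x in D_target, and may query O(target, ., .), which inverts f_tag' only for tag' != target and
    answers None (the oracle's bottom symbol) otherwise. Returns (A won?, tags A queried)."""
    rng = random.Random(seed)
    p, g, x = sample_domain(target, n, rng)
    y = f_dl(target, n, p, g, x)
    queried = []

    def oracle(tag_prime: int, y_prime):
        queried.append(tag_prime)
        if tag_prime == target:
            return None                          # the target function is never inverted for A
        return magic_invert(n, y_prime)

    return adversary(n, target, y, oracle, rng) == (p, g, x), queried

def lazy_adversary(n, target, y, oracle, rng):
    """Tries to cheat by asking the oracle to invert the challenge itself; gets None and gives up."""
    return oracle(target, y)

def sibling_tag_adversary(n, target, y, oracle, rng):
    """Uses the oracle on a different tag (allowed), checks the answer, but learns nothing about x."""
    other = target ^ 1                           # still an n-bit index with leading 1
    p2, g2, x2 = sample_domain(other, n, rng)
    assert oracle(other, f_dl(other, n, p2, g2, x2)) == (p2, g2, x2)
    return None
```

Raising `n` makes `magic_invert` exponentially slower, which is the point of the remark in Section 2.1 that the oracle need not be implementable: the definition only grants it to the adversary, and the paper's proofs use that power inside hybrid experiments rather than in the simulator.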

Definition 3 (Adaptively Secure Commitment). A family of commitment protocols $\{Com_{tag} = \langle S_{tag}, R_{tag}\rangle\}_{tag \in \{0,1\}^*}$ is called an adaptively secure commitment scheme if $S_{tag}$ and $R_{tag}$ are polynomial-time and:

Statistical Binding: For any $tag$, over the coin tosses of the receiver $R$, the probability that a transcript $\langle S, R\rangle_{tag}$ has two valid openings is negligible.

Adaptive Security: Let $O(tag, \cdot, \cdot)$ denote the oracle that, on input $tag' \neq tag$ and a transcript $c$, returns an $x \in \{0,1\}^{\ell(n)}$ if there exist strings $r_S$ and $r_R$ such that $c$ is the transcript of the interaction between $S_{tag'}$ with input $x$ and random coins $r_S$ and $R_{tag'}$ with random coins $r_R$, and $\bot$ otherwise (and $\bot$ on input $tag' = tag$). For any probabilistic polynomial-time oracle TM $A$, there exists a negligible function $\mu(\cdot)$ such that for all $n$, all $tag \in \{0,1\}^n$ and all $x, y \in \{0,1\}^{\ell(n)}$,
$$\Big|\Pr[c \leftarrow \langle S_{tag}(x), R_{tag}\rangle : A^{O(tag,\cdot,\cdot)}(c, tag) = 1] - \Pr[c \leftarrow \langle S_{tag}(y), R_{tag}\rangle : A^{O(tag,\cdot,\cdot)}(c, tag) = 1]\Big| \le \mu(n).$$

3 Non-Malleable Commitment Schemes

In this section, we construct non-malleable string commitment schemes. We first construct adaptively secure bit-commitment schemes based on an adaptively secure injective OWF and on an adaptively secure PRG; the first of these constructions is non-interactive and the second is a 2-round commitment scheme. We then show a simple concatenation lemma that constructs an adaptively secure string commitment scheme from an adaptively secure bit-commitment scheme. Finally, we show that any adaptively secure commitment scheme is also concurrently non-malleable. The complete proofs are deferred to the full version.

Lemma 1. Assume that there exists a family of adaptively secure injective one-way functions. Then, there exists an adaptively secure bit-commitment scheme. Furthermore, the commitment scheme is non-interactive. Further, assuming the existence of a family of adaptively secure pseudorandom generators, there exists a 2-round adaptively secure bit-commitment scheme.

The first of these constructions follows by replacing the injective one-way function in the Blum-Micali [9] commitment scheme with an adaptively secure one, and the second follows from the Naor commitment scheme [25] in an analogous way.

Lemma 2 (Concatenation Lemma). If there is an adaptively secure family of bit-commitment schemes, then there is an adaptively secure family of string-commitment schemes.

The concatenation lemma follows by simply committing to each bit of the message independently using a single-bit commitment scheme $Com_{tag}$. Finally, in the full version we show that any adaptively secure commitment scheme is concurrently non-malleable according to the definition of [23]. The proof is essentially identical to the proof of [17] that any CCA-secure encryption scheme is also non-malleable.
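The second construction of Lemma 1 (Naor's scheme [25] with the PRG indexed by the tag) together with the concatenation of Lemma 2, as an added example that is not code from the paper: the receiver sends a random $3n$-bit string $R$, the sender commits to a bit $b$ as $G_{tag}(s) \oplus b \cdot R$, and a string is committed bit by bit under the same $tag$ and $R$. SHAKE-256 keyed by the tag stands in for the adaptive PRG $G_{tag}$; that substitution is an assumption of the example (it gives an ordinary PRG stand-in, nothing about adaptive security is claimed for it), and all function names are the example's own.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

SEED_BYTES = 16                      # n = 128-bit seed
OUT_BYTES = 3 * SEED_BYTES           # Naor's scheme needs G_tag : {0,1}^n -> {0,1}^{3n}
Opening = Tuple[bytes, int]          # (seed, committed bit)

def prg(tag: bytes, seed: bytes) -> bytes:
    # Placeholder for the adaptive PRG family G_tag (assumption: SHAKE-256 over a length-prefixed
    # tag||seed is only an ordinary PRG stand-in; its adaptive security is not claimed).
    return hashlib.shake_256(b"G" + len(tag).to_bytes(2, "big") + tag + seed).digest(OUT_BYTES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def receiver_message(rand=secrets.token_bytes) -> bytes:
    """Round 1 (receiver R_tag): a uniformly random R in {0,1}^{3n}, reused for every bit of a string."""
    return rand(OUT_BYTES)

def commit_bit(tag: bytes, R: bytes, bit: int, seed: Optional[bytes] = None) -> Tuple[bytes, Opening]:
    """Round 2 (sender S_tag): c = G_tag(s) xor (R if bit == 1 else 0^{3n}); the opening is (s, bit)."""
    if bit not in (0, 1):
        raise ValueError("commit_bit takes a single bit")
    s = seed if seed is not None else secrets.token_bytes(SEED_BYTES)
    c = prg(tag, s) if bit == 0 else xor(prg(tag, s), R)
    return c, (s, bit)

def verify_bit(tag: bytes, R: bytes, c: bytes, opening: Opening) -> bool:
    s, bit = opening
    if bit not in (0, 1) or len(s) != SEED_BYTES:
        return False
    return c == (prg(tag, s) if bit == 0 else xor(prg(tag, s), R))

def is_equivocation(tag: bytes, R: bytes, c: bytes, op0: Opening, op1: Opening) -> bool:
    """Binding fails for a transcript only if c opens to both bits, i.e. G_tag(s0) xor G_tag(s1) = R.
    At most 2^{2n} of the 2^{3n} values of R admit such a pair, so this happens w.p. <= 2^{-n} over R."""
    return op0[1] != op1[1] and verify_bit(tag, R, c, op0) and verify_bit(tag, R, c, op1)

def commit_string(tag: bytes, R: bytes, msg: bytes):
    """Lemma 2: commit to each bit of msg independently with the same single-bit scheme Com_tag."""
    bits = [(byte >> (7 - k)) & 1 for byte in msg for k in range(8)]
    pairs = [commit_bit(tag, R, b) for b in bits]
    return [c for c, _ in pairs], [o for _, o in pairs]

def verify_string(tag: bytes, R: bytes, cs: List[bytes], ops: List[Opening]) -> Optional[bytes]:
    """Returns the committed string if every bit opens correctly under this tag, else None."""
    if len(cs) != len(ops) or len(cs) % 8 != 0:
        return None
    if not all(verify_bit(tag, R, c, o) for c, o in zip(cs, ops)):
        return None
    bits = [o[1] for o in ops]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
```

Because the tag is bound into $G_{tag}$, an opening produced under one tag does not verify under another; that is the hook the paper's tag-based definitions use, and `is_equivocation` makes explicit what a binding failure would have to look like for this scheme.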

12 Lemma 3. If {Com tag } tag {0,1} n is a tag-based adaptively secure commitment scheme, then it is also concurrently non-malleable. 4 Four-Round Non-Malleable Zero-Knowledge In this section, we present a 4-round non-malleable zero-knowledge argument system. We start by reviewing the notion of non-malleable zero-knowledge [17] and refer the reader to [29] for a formal definition of the notion we consider in this work. Non-malleable ZK proofs: An informal definition. Let Π tag be a tag-based family of ZK proofs. Consider a man-in-the-middle adversary that participates in two interactions: in the left interaction the adversary A is verifying the validity of a statement x by interacting with an honest prover P using tag. In the right interaction A proves the validity of a statement x to the honest verifier V using tag tag. The objective of the adversary is to convince the verifier in the right interaction. Π tag is, roughly speaking, non-malleable, if for any manin-the-middle adversary A, there exists a stand-alone prover S that manages to convince the verifier with essentially the same probability as A (without receiving a proof on the left). Our protocol. The argument system is the Feige-Shamir protocol [18], compiled with an adaptively secure commitment scheme. In our analysis we rely on the following properties of the Feige-Shamir protocol: The first prover message is (perfectly) independent of the witness used by the prover (and even the statement). This property has previously been used to simplify analysis, but here we inherently rely on this property to enable our analysis. Given a random accepting transcript, and the openings of the commitments in the first message, it is possible to extract a witness. In other words, any transcript implicitly defines a witness; additionally, given a random transcript, this witness will be valid with a high probability (if the transcript is accepting). In what follows, we present a sketch of the protocol and the proof. 
The complete proof is deferred to the full version.

4.1 An Adaptively Secure WI Proof of Knowledge

The main component in the NMZK protocol is a three-round witness-indistinguishable (WI) proof of knowledge (POK); see [19] for a definition of witness indistinguishability and proof of knowledge. The protocol is simply a parallelization of the 3-round ZK proof $\Pi$ for the $\mathcal{NP}$-complete language of Hamiltonicity [8, 18], with the only change that the commitment scheme used in the proof is adaptively secure. Let $\Pi_{tag}$ denote this family of protocols; it is a family parameterized by the tag of the adaptively secure commitment. We show that this family of protocols satisfies two properties:

- It has an adaptive WI property which, roughly stated, means that the transcripts of the protocol when the prover uses two different witnesses $w_1$ and $w_2$ are computationally indistinguishable, even if the distinguisher has access to a magic oracle that inverts all commitments $\mathrm{Com}_{tag'}$, where $tag' \neq tag$.
- A random transcript of $\Pi_{tag}$ uniquely defines a witness (even though it is not computable in polynomial time). We define this to be the witness implicit in the transcript in an instance of $\Pi_{tag}$. Furthermore, we show that the implicit witness in $\Pi_{tag}$ is computable given access to $\mathcal{O}(tag', \cdot, \cdot)$ for any $tag' \neq tag$.

4.2 The Non-Malleable Zero-Knowledge Argument System

The non-malleable ZK protocol consists of two instances of the protocol $\Pi_{tag}$ running in conjunction, one of them initiated by the verifier and the other initiated by the prover. We will denote the copy of $\Pi_{tag}$ initiated by the verifier as $\Pi^V_{tag}$ and the one initiated by the prover as $\Pi^P_{tag}$. Recall that $\Pi_{tag}$ is a parallelized version of a 3-round protocol $\Pi_{tag}$; let $A_i$, $C_i$ and $Z_i$ denote the messages in the $i$-th repetition in these three rounds. In the description of the protocol, we let messages in the protocol $\Pi^V_{tag}$ (resp. $\Pi^P_{tag}$) appear with a superscript of $V$ (resp. $P$).

Theorem 4. Assume that Com is a non-interactive adaptively secure commitment scheme. Then, the protocol in Figure 1 is a 4-round non-malleable zero-knowledge argument system.

Proof (Sketch). Completeness, soundness and zero-knowledge properties of the protocol follow directly from the corresponding properties of the Feige-Shamir protocol. In Lemma 4, we show that the protocol is non-malleable.
In other words, for every man-in-the-middle adversary A that interacts with the prover $P_{tag}$ on a statement $x$ and convinces the verifier $V_{tag'}$ (for a tag $tag' \neq tag$) in a right-interaction on a statement $x'$ (possibly the same as $x$), we construct a stand-alone prover that convinces the verifier on $x'$ with the same probability as A, but without access to the left-interaction. The construction of the stand-alone prover in the proof of non-malleability (see Lemma 4) relies on the adaptive security of the commitment scheme $\mathrm{Com}_{tag}$. It is important to note that the stand-alone prover itself runs in classical polynomial time, and in particular does not use any oracles. Access to the commitment-inversion oracle is used only to show that the stand-alone prover works as expected (and in particular, that it convinces the verifier with the same probability as does the MIM adversary).

Lemma 4. The protocol $\mathrm{NM}_{tag}$ in Figure 1 is non-malleable.

Proof (Sketch). For every man-in-the-middle adversary A, we construct a stand-alone prover S; the construction of S proceeds in three steps.

Non-Malleable Zero-Knowledge Argument $\mathrm{NM}_{tag}$

Common Input: An instance $x \in \{0,1\}^n$, presumably in the language $L$.
Prover Input: A witness $w$ such that $(x, w) \in R_L$.

Round 1: (Verifier) Pick $w_1$ and $w_2$ at random and compute $x_i = f(w_i)$ for $i \in \{1, 2\}$. Let the $\mathcal{NP}$-relation $R_V = \{((x_1, x_2), w') \mid \text{either } f(w') = x_1 \text{ or } f(w') = x_2\}$. Initiate the WI protocol $\Pi^V_{tag}$ with the statement $(x_1, x_2) \in L_V$. In particular,
    V → P: Send $(x_1, x_2)$ to P. Send $A^V_1, A^V_2, \ldots, A^V_n$ to P.

Round 2: (Prover) Let the $\mathcal{NP}$-relation $R_P$ be $\{((x, x_1, x_2), w) \mid \text{either } (x, w) \in R_L \text{ or } f(w) = x_1 \text{ or } f(w) = x_2\}$. Initiate a WI protocol $\Pi^P_{tag}$ with common input $(x, x_1, x_2)$. Also, send the second-round messages of the protocol $\Pi^V_{tag}$. In particular,
    (2a) P → V: Send $A^P_1, A^P_2, \ldots, A^P_n$ to V.
    (2b) P → V: Send $C^V_1, C^V_2, \ldots, C^V_n$ to V.

Round 3: (Verifier) Send the round-2 challenges of the protocol $\Pi^P_{tag}$ and the round-3 responses of $\Pi^V_{tag}$.
    (3a) V → P: Send $C^P_1, \ldots, C^P_n$ to P.
    (3b) V → P: Send $Z^V_1, \ldots, Z^V_n$ to P.

Round 4: (Prover) P verifies that the transcript $\{(A^V_i, C^V_i, Z^V_i)\}_{i \in [n]}$ is accepting for the subprotocol $\Pi^V_{tag}$. If not, abort and send nothing to V. Else,
    P → V: Send $Z^P_1, \ldots, Z^P_n$ to V.

V accepts iff the transcript $\{(A^P_i, C^P_i, Z^P_i)\}_{i \in [n]}$ is accepting for the subprotocol $\Pi^P_{tag}$.

Fig. 1. Non-Malleable Zero-knowledge Protocol $\mathrm{NM}_{tag}$ for a language $L$

1. Run the adversary A with honestly generated verifier-messages on the right interaction, and extract the witness for the WIPOK $\Pi^V_{tag}$ that the adversary initiates on the left interaction.
2. Use the witness thus obtained to simulate the left-interaction of the adversary A, and rewind the WI proof of knowledge $\Pi^P_{tag'}$ it initiates on the right interaction to extract the witness $w'$ for the statement $x'$.
3. Finally, provide an honest proof to the outside verifier of the statement $x'$ using the tag $tag'$ and witness $w'$.

Carrying out this agenda involves a number of difficulties. We first describe how to accomplish Step 1.
This is done by invoking the simulator for the Feige-Shamir protocol, and is described below. Informally, S extracts the witness $w$ that the MIM A uses in the subprotocol $\Pi^V_{tag}$ in the left-interaction. Then, S acts as the honest prover using the witness $w$ in the protocol $\Pi^P_{tag}$.

We now describe how to carry out Step 2 of the agenda, and show that at the end of Step 2, S extracts a witness for the statement $x'$ that the MIM adversary A uses in the right-interaction with essentially the same probability that A convinces the verifier on the right-interaction. S starts by running the protocol in the left-interaction using the witness $w$ it extracted using the strategy in Step 1. Consider the moment when A outputs the first message on the left (that is, the first message in the subprotocol $\Pi^V_{tag}$). Consider two cases.

Fig. 2. Two scheduling strategies (i) on the left and (ii) on the right

Case One: In the first case, A has not yet received the round-3 messages in the right interaction (that is, the challenges in the subprotocol $\Pi^P_{tag'}$) (see Figure 2(i)). In this case, the Round-1 message that A sends on the left interaction is independent of the Round-3 message in the right interaction. Now, S proceeds as follows: S runs the left-interaction as a normal prover $P_{tag}$ would with the fake witness $w$, and rewinds the protocol $\Pi^P_{tag'}$ on the right-interaction to extract a witness for the statement $x'$. Since the rewinding process does not change the messages in the right-interaction before round 3, S can use $w$ to produce the left-interaction just as an honest prover with witness $w$ would; note that we here rely on the property of the Feige-Shamir protocol that the first message sent by the prover (i.e., round 2) is independent of the statement and witness used.

Case Two: In the second case, A has already received the challenges in the subprotocol $\Pi^P_{tag'}$ in the right interaction (see Figure 2(ii)). In this case, trying to rewind in the WIPOK $\Pi^P_{tag'}$ on the right is problematic, since A could change the first message on the left every time it is fed with a different challenge in round 3 on the right-interaction. In this case, S proceeds as follows: every time the extractor for the WIPOK $\Pi^P_{tag'}$ in the right-interaction rewinds, S repeats the entire procedure in Step 1 of the agenda to extract a witness $w$ corresponding to the (potentially new) Round-1 message in the left interaction. S then simulates the left-interaction with the witness thus extracted.
Note that due to the particular scheduling, the extraction procedure on the right-interaction is unaffected by the rewinding on the left. To analyze the correctness of the above simulator, we first show that the view generated by S following Step 1 of the agenda is indistinguishable from the view of A in a real interaction, even to a distinguisher that has access to the oracle $\mathcal{O}(tag', \cdot, \cdot)$ that inverts $\mathrm{Com}_{tag'}$ for any $tag' \neq tag$. Then, we use this to show that the implicit witness in the transcript of the subprotocol $\Pi^P_{tag'}$ in the right-interaction is indistinguishable between the simulated and the real execution. This means that the witness that S extracts from the right interaction of A is computationally indistinguishable from the witness that A uses in the real interaction. We defer an analysis of the running time to the full version; intuitively, the expected running time is polynomial since, when performing rewinding on the right, we can perfectly emulate the messages on the left with the same distribution as when generating the initial view in Step 1.

5 CCA2-Secure Encryption Scheme

Bellare and Rogaway [7] showed how to construct an efficient encryption scheme that is CCA2-secure in the random oracle model, starting from any trapdoor permutation. We show that the same scheme is CCA2-secure in the standard model (that is, without assuming random oracles) by instantiating their scheme with adaptively secure primitives. To prove security of the construction, we assume an adaptively secure variant of perfectly one-way hash functions (defined by Canetti [13]), and a family of trapdoor permutations that is hard to invert even with access to an oracle that inverts the perfectly one-way hash function. We note that Canetti [13] (defines and) uses perfectly one-way hashing with auxiliary input to prove IND-CPA security (semantic security) of the [7] construction. We sketch the notion of adaptively secure perfectly one-way hashing w.r.t. auxiliary information and give a high-level intuition of the security proof; the complete definition and proof are deferred to the full version.

Consider a family of functions $\mathcal{H}$ such that for a random function $H \in \mathcal{H}$, it is computationally infeasible to distinguish between $h = H(r; s)$ (for random $r, s$) and a random value, even if the adversary is given (1) $g(r)$, where $g$ is an uninvertible function evaluated on the input $r$, and (2) access to an oracle that inverts every $h' \neq h$ (namely, the oracle, given any $h' \neq h$, computes $(r', s')$ such that $h' = H(r'; s')$).

Theorem 5. Let TDPGen be a family of trapdoor permutations that are uninvertible with access to the $\mathcal{H}$-inverting oracle, and let $\mathcal{H}$ be an adaptively secure perfectly one-way hash family with auxiliary information. Then, the scheme in Figure 3 is an IND-CCA2-secure encryption scheme.

Proof (Idea). The proof is analogous to that for the two-key paradigm of Naor and Yung [26]. The main idea of the proof is that there are two ways to decrypt a ciphertext: the first is using the trapdoor $f^{-1}$ (as the legal decryption algorithm Dec does), and the second is using an oracle that inverts $H$. Given a ciphertext $c = (c_0, c_1, c_2, s_1, s_2)$ and access to such an oracle, we first compute $r'$ such that $H((r', s_1, c_1); s_2) = c_2$, and check that $c_0 = f(r')$. If the check passes, output $m = c_1 \oplus H(r'; s_1)$, otherwise output $\bot$. This allows the simulator to answer the decryption queries of the adversary, given access to an oracle that inverts $H$. Even with access to such an oracle, the adversary can neither (1) invert $f(r)$ on a new value $r$ (since $f$ is uninvertible even with access to the $H$-inverting
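The two decryption paths of the proof idea, as an added worked example that is not part of the paper: the ciphertext is built as $c_0 = f(r)$, $c_1 = m \oplus H(r; s_1)$, $c_2 = H((r, s_1, c_1); s_2)$, and the same plaintext is recovered either with the trapdoor or with an $H$-inverter, while a mauled ciphertext is rejected by both. It assumes textbook RSA with toy parameters as the trapdoor permutation and SHA-256 as a stand-in for $H$; the $H$-inverting oracle is realised by exhaustive search, which is only possible because the toy domain of $r$ is tiny.

```python
import hashlib, secrets
# Toy trapdoor permutation: textbook RSA with tiny constructed parameters, small
# only so that the H-inverting "oracle" below can be realised by brute force.
N, E, D = 3233, 17, 2753   # n = 61 * 53, e * d = 1 (mod phi(n))

def f(r):                  # the trapdoor permutation f
    return pow(r, E, N)

def f_inv(y):              # f^{-1}: requires the trapdoor D
    return pow(y, D, N)

def H(x, s):               # stand-in for the hash family H(x; s) with seed s
    return hashlib.sha256(s + x).digest()     # SHA-256 is an assumption

def enc_r(r):              # fixed-width encoding keeps the inputs to H unambiguous
    return r.to_bytes(2, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(m):
    """Ciphertext (c0, c1, c2, s1, s2) for a message m of at most 32 bytes."""
    r = secrets.randbelow(N - 1) + 1
    s1, s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    c0 = f(r)                                  # c0 = f(r)
    c1 = xor(m, H(enc_r(r), s1))               # c1 = m XOR H(r; s1)
    c2 = H(enc_r(r) + s1 + c1, s2)             # c2 = H((r, s1, c1); s2)
    return (c0, c1, c2, s1, s2)

def decrypt(ct):
    """Legal Dec: recover r with the trapdoor, re-check c2, then unmask."""
    c0, c1, c2, s1, s2 = ct
    r = f_inv(c0)
    if H(enc_r(r) + s1 + c1, s2) != c2:
        return None                            # bottom: reject the ciphertext
    return xor(c1, H(enc_r(r), s1))

def invert_H(c2, s1, c1, s2):
    """Toy H-inverting oracle: exhaustive search over the tiny r-domain."""
    for r in range(N):
        if H(enc_r(r) + s1 + c1, s2) == c2:
            return r
    return None

def decrypt_via_oracle(ct):
    """Second decryption path of the proof: no trapdoor, only the H-inverter."""
    c0, c1, c2, s1, s2 = ct
    r = invert_H(c2, s1, c1, s2)
    if r is None or f(r) != c0:                # the c0 = f(r') check
        return None
    return xor(c1, H(enc_r(r), s1))

def flip_bit(ct):          # a mauled ciphertext: both paths must reject it
    c0, c1, c2, s1, s2 = ct
    return (c0, bytes([c1[0] ^ 1]) + c1[1:], c2, s1, s2)
```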
